# Apache OpenDAL™ Downloads

The official Apache OpenDAL releases are provided as source artifacts.

## Releases

import DownloadLink from '@site/src/components/DownloadLink';

The latest source release is <DownloadLink/>.

For older releases, please check the [archive](https://archive.apache.org/dist/opendal/).

For even older releases during the incubating phase, please check the [incubator archive](https://archive.apache.org/dist/incubator/opendal/).

## Notes

* When downloading a release, please verify the OpenPGP compatible signature (or failing that, check the SHA-512); these should be fetched from the main Apache site.
* The KEYS file contains the public keys used for signing release. It is recommended that (when possible) a web of trust is used to confirm the identity of these keys.
* Please download the [KEYS](https://downloads.apache.org/opendal/KEYS) as well as the .asc signature files.

### To verify the signature of the release artifact

You will need to download both the release artifact and the .asc signature file for that artifact. Then verify the signature by:

* Download the KEYS file and the .asc signature files for the relevant release artifacts.
* Import the KEYS file to your GPG keyring: 

```shell
gpg --import KEYS
```

* Verify the signature of the release artifact using the following command:
  
```shell
gpg --verify <artifact>.asc <artifact>
```

### To verify the checksum of the release artifact

You will need to download both the release artifact and the .sha512 checksum file for that artifact. Then verify the checksum by:

```shell
shasum -a 512 -c <artifact>.sha512
```
